plugx | 398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
Size

273KB
MD5

dc7d60cbdeafc23065fc7a507da9fe50
SHA1

3665297459c39bccced9923a1fd4a6fcbead2797
SHA256

398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429
SHA512

301c9ab6628b830d5ea50574fc429be708be14a68d2b060d43cc6561ba31608c08f58af73811053613e6ba46eaa2945edd0d9242b03f6b513a1db0dc2fec8205

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1424-76-0x0000000000370000-0x00000000003A1000-memory.dmp	family_plugx
behavioral1/memory/1904-78-0x00000000004D0000-0x0000000000501000-memory.dmp	family_plugx
behavioral1/memory/2028-79-0x00000000002B0000-0x00000000002E1000-memory.dmp	family_plugx
behavioral1/memory/932-85-0x0000000000260000-0x0000000000291000-memory.dmp	family_plugx
behavioral1/memory/2028-86-0x00000000002B0000-0x00000000002E1000-memory.dmp	family_plugx
behavioral1/memory/932-87-0x0000000000260000-0x0000000000291000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1904	chrome_frame_helper.exe
1424	chrome_frame_helper.exe

Deletes itself 1 IoCs

pid	Process
2028	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
1904	chrome_frame_helper.exe
1424	chrome_frame_helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004400330043003300410042004300410041003500450033003400360033000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
932	msiexec.exe
2028	svchost.exe
2028	svchost.exe
932	msiexec.exe
932	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	chrome_frame_helper.exe
Token: SeTcbPrivilege	1904	chrome_frame_helper.exe
Token: SeDebugPrivilege	1424	chrome_frame_helper.exe
Token: SeTcbPrivilege	1424	chrome_frame_helper.exe
Token: SeDebugPrivilege	2028	svchost.exe
Token: SeTcbPrivilege	2028	svchost.exe
Token: SeDebugPrivilege	932	msiexec.exe
Token: SeTcbPrivilege	932	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1836 wrote to memory of 1904	1836	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	28
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 1424 wrote to memory of 2028	1424	chrome_frame_helper.exe	30
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31
PID 2028 wrote to memory of 932	2028	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
"C:\Users\Admin\AppData\Local\Temp\398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1904

C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2028
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
4e4706d14d299fe6cebd8acca2fae669

SHA1
ec590ed87de2b336c0fbb5d2bfc3c44636bd0dd5

SHA256
8422bedc8ddd18928ffb8a244cff554e5e7d81557daf396b71bfa3e12fce8884

SHA512
94c1e59c2d426d51dbae1fa7890b856988f11c6d346c87e361a817683c1bb57367ecc5423feaf46f423e91ceec3eba1c58db165974205ef37cb11891b6ad9f8e

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
dac42643182c6a8505c3bd6c038290a5

SHA1
e60a05bf78881597dbb1677733a2fa921fd2b3cb

SHA256
2966895fb93dc9606a89698c7e95ad2f7c28461733b502e4c53173874d06f858

SHA512
48622a045f618edbd20be9640c6e9ca1c2f550d918514ab149411d3229f96e4a799bd3b89e21e28be97babbb00ba34fb1c26ff19cc3c66e136ea77688f541b6e

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.dll.hlp

Filesize
121KB

MD5
feca16416fa0de1c0aa04a5ec95dd3b9

SHA1
461a758bcfe2e66ddeacdf229acccb9c68c741ac

SHA256
8521dca581b9a9fb82355bb7660c5d1811359558536b49e39ea68aa9f5f5db0a

SHA512
ae343c9b3657c39164dd3f2b4252b9af3bd7e64282fc146cab6d9928b272be609d1564a33835b33bcdd01e6bb743f29ad1f7d2abe0e0d220b3367e41a49af6a3

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.dll.hlp

Filesize
121KB

MD5
feca16416fa0de1c0aa04a5ec95dd3b9

SHA1
461a758bcfe2e66ddeacdf229acccb9c68c741ac

SHA256
8521dca581b9a9fb82355bb7660c5d1811359558536b49e39ea68aa9f5f5db0a

SHA512
ae343c9b3657c39164dd3f2b4252b9af3bd7e64282fc146cab6d9928b272be609d1564a33835b33bcdd01e6bb743f29ad1f7d2abe0e0d220b3367e41a49af6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
\ProgramData\chrome_frame_helper\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
memory/932-87-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/932-85-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1424-76-0x0000000000370000-0x00000000003A1000-memory.dmp

Filesize
196KB

Download
memory/1424-75-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download
memory/1836-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1904-78-0x00000000004D0000-0x0000000000501000-memory.dmp

Filesize
196KB

Download
memory/2028-79-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/2028-71-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/2028-86-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download